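<doc>
  <!-- Possible SGID Exploit: report the child process spawned by a program that
       was exec'd with a non-zero real gid but an effective gid of 0.
       NOTE(review): the first pattern line and most of the second were lost in
       extraction. They are reconstructed below by analogy with the sibling
       "Possible SUID Exploit" query and the process log layout shown by "Find
       Processes" (args; pid; ppid; uid; euid; gid; egid). TODO confirm both
       regexes against the original before relying on this rule. -->
  <regexp-query>
    <name>Possible SGID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <!-- line 1 (reconstructed): exec of a setgid-root binary; its pid is
           capture group 1 and is referenced as %1% by the next line. The gid
           field is not adjacent to ppid in the log layout, hence the inner .* -->
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\);.*gid=\([1-9]\d*\); egid=\(0\).*</line>
      </next>
      <!-- line 2 (partly recovered): any later process whose ppid is that pid.
           The args character class is restrictive: args holding quotes, '=' or
           ';' will not match and such children are silently skipped. -->
      <next>
        <line>.*args=\([\-\w\\\/ ]+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- extract the child's args into %agg% for the annotation -->
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SGID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>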



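<doc>
  <!-- Possible SUID Exploit: a process exec'd with a non-root real uid
       (uid=[1-9]\d*) but an effective uid of 0, i.e. a setuid-root program, has
       spawned a child. Line 1 captures the setuid process's pid; line 2 fires on
       any process whose ppid equals it. Because every child of every setuid-root
       program matches, legitimate helpers spawned by setuid tools will also be
       reported; triage by the args shown in the annotation. -->
  <regexp-query>
    <name>Possible SUID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <!-- line 1: the setuid-root exec; capture group 1 (its pid) becomes %1% -->
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).*</line>
      </next>
      <!-- line 2: a child of that pid. NOTE(review): the "Keystrokes Entered"
           query marks such a back-reference with fromprev="1"; no such attribute
           survived here, so check whether the tool needs it. -->
      <next>
        <line>.*args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- pull the child's args (greedy, up to the last ");") into %agg% -->
        <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SUID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>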



<!-- stray <next> tag left by extraction; it belongs to no query -->




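<doc>
  <!-- All Processes: list every "proclog" record, reporting the exec'd args.
       Only args made of word characters, '-', '.', '\', '/' and spaces match;
       a command line containing quotes, '=', ';' or other punctuation will not
       be listed, so this is not a complete process inventory. -->
  <regexp-query>
    <name>All Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- re-match the line to extract the args into %agg% -->
        <line>.*args=\(([\-\.\w\\\/ ]+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>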




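<doc>
  <!-- Find Processes...: parameterised search over the process log. Each
       element under <args> is a user-supplied value with the default shown
       (.+ or \d+) and is substituted into the pattern as %name%.
       NOTE(review): the values are interpolated straight into a regex. If the
       tool substitutes them literally, regex metacharacters in a supplied
       value (e.g. "|" or ".*") change the match; escape or validate them. -->
  <regexp-query>
    <name>Find Processes...</name>
    <properties>
      <priority>10</priority>
    </properties>
    <args>
      <args>.+</args>
      <pid>\d+</pid>
      <ppid>\d+</ppid>
      <uid>\d+</uid>
      <euid>\d+</euid>
      <gid>\d+</gid>
      <egid>\d+</egid>
    </args>
    <pattern>
      <!-- full record layout: args; pid; ppid; uid; euid; gid; egid -->
      <next>
        <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- extract the args field of the matched record into %agg% -->
        <line>.*args=\((.+)\); pid.*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>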




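<doc>
  <!-- All Shell-spawned Processes: line 1 finds an exec whose args are exactly
       "-sh" (a login shell named sh) and captures its pid; line 2 reports every
       process whose ppid is that pid. Only "-sh" is matched: shells started as
       "-bash", "-ksh" etc., or a non-login "sh", are not covered. The
       procmatch action highlights but, unlike the other queries, does not
       delete the matched record. -->
  <regexp-query>
    <name>All Shell-spawned Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
      </next>
      <!-- NOTE(review): the ppid value in this line was lost in extraction;
           \(%1%\) is assumed from the SUID/SGID queries. TODO confirm. -->
      <next>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.+args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Executed from a shell: %agg%</text>
    </annotation>
  </regexp-query>
</doc>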
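<doc>
  <!-- Incoming Connections: report source and destination of every
       "incoming connection" record. The four capture groups are greedy, so each
       endpoint is split into host and port at its last colon. That is correct
       for IPv4 "host:port"; verify the split on IPv6 endpoints, whose host part
       itself contains colons. -->
  <regexp-query>
    <name>Incoming Connections</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*incoming connection from=\(.+\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="fromip">%1%</varop>
          <varop var="fromport">%2%</varop>
          <varop var="toip">%3%</varop>
          <varop var="toport">%4%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
    </annotation>
  </regexp-query>
</doc>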



<!-- stray <action> tag left by extraction; it belongs to no query -->




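<doc>
  <!-- Keystrokes Entered: reassemble input typed on one stream. Line 1 captures
       the stream id; line 2 (fromprev="1", so %1% is that id) waits for a read
       on the same stream whose data contains an escaped \0a, \0d or \04 byte,
       presumably newline, carriage return or Ctrl-D marking end of input.
       The raw data of each matching read is copied verbatim into %agg% and
       into the report, so the output can contain passwords and other secrets
       typed at the terminal; treat generated reports as sensitive.
       NOTE(review): the character class in line 2 was partly illegible
       ("[ad4 J"); "[ad4]" is assumed. TODO confirm. -->
  <regexp-query>
    <name>Keystrokes Entered</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*read stream data, id=\(%1%\) data=\(.*\\0[ad4].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Keystrokes Entered: %agg%</text>
    </annotation>
  </regexp-query>
</doc>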



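<doc>
  <!-- Screen Output: the write-side twin of "Keystrokes Entered". Line 1
       captures a stream id from a write record; line 2 (fromprev="1") waits for
       a write on the same stream whose data holds an escaped \0a, \0d, \04 or
       \06 byte. Every matching write's data is gathered into %agg% and echoed
       in the report, so anything the monitored program printed (including
       secrets) ends up in the output. -->
  <regexp-query>
    <name>Screen Output</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Output to screen: %agg%</text>
    </annotation>
  </regexp-query>
</doc>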




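<doc>
  <!-- Find Monitored: search "monitored file opened" records by file name and
       pid. Both arguments default to match-anything (.+ and \d+) and are
       interpolated into the pattern as %file_name% and %pid%; as with "Find
       Processes", regex metacharacters in a supplied value alter the match if
       the tool substitutes it literally. The procmatch groups are greedy (.+),
       so a file name containing ")" is split at its last ")" before " pid=". -->
  <regexp-query>
    <name>Find Monitored</name>
    <properties>
      <priority>10</priority>
    </properties>
    <args>
      <file_name>.+</file_name>
      <pid>\d+</pid>
    </args>
    <pattern>
      <next>
        <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="filename">%1%</varop>
          <varop var="pidvar">%2%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>File Opened: %filename% (from pid: %pidvar%)</text>
    </annotation>
  </regexp-query>
</doc>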



